Sydney security researcher Troy Hunt, who was able to crack 53 per cent of the exposed hashed passwords in 45 seconds, wrote in a blog post on Wednesday evening that the type of cryptography the ABC used to store the passwords was "woefully inadequate". Had he spent more time on the cracking, Mr Hunt wrote, it would have yielded more results.

That evidence has to do with a criminal on an underground forum asking hackers to crack the hashed password for the admin@abc.net.au administrator account used for the Making Australia Happy website. The cracked password of the developer who built the website was also requested, and a hacker took up the offer after $3 per password was offered.


When a user entered their information into the Making Australia Happy website they were advised not to provide their real name in the nickname field and also told that the information they provided (minus email address and password) would be displayed on a public map of Australia.

Information submitted included a user's nickname (user name), email address, password, age range, gender, postcode and the text of what they said made them happy. Other information was also collected by the website behind the scenes, which included a user's IP address and estimated latitude and longitude.

But now that the information collected by the ABC has been hacked and published - including email addresses and passwords, which can be cracked - anyone looking at it online is able to link the information back to many of the users' real names just by using their email address.

Furthermore, a criminal could use the information to steal someone's identity. As many people reuse the same password across many sites (a very bad but convenient practice), a criminal could take a user's exposed password and log in to something like their Gmail account.

Guy Gadney, director of The Project Factory, said the company was contracted by Heiress Films to produce the Making Australia Happy website for the ABC in 2010. "Any issues regarding security and data breaches are a matter for the ABC," Mr Gadney said.

"What we've got here are hashes, or in other words the output of a one-way cryptographic process," Mr Hunt wrote of the way the ABC website stored users' passwords. "Done right, hashes provide good protection in the case of a data breach (such as what we've got here) as they can't be un-hashed. Done wrong, hashes can be re-calculated en masse and effectively 'cracked' thus disclosing the original plain text password (also what we've got here)."

In his blog post, Mr Hunt explains how in 45 seconds he was able to crack about 53 per cent of the 49,561 hashed passwords. With more time and a larger dictionary he said he would have cracked more, which another security expert then set out to attempt.
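To make concrete what Mr Hunt means by hashes being "re-calculated en masse", here is an added illustration; it is not code from the article or from Mr Hunt's post. It assumes, purely for the demonstration, that the leaked hashes were unsalted MD5 (the article does not say which algorithm the ABC site used), and the sample accounts, passwords and word list are constructed. The first function runs the kind of dictionary attack described above: the word list is hashed once and every account with a matching hash falls out at the same time. The second pair shows the "done right" alternative, a random per-user salt plus a deliberately slow key-derivation function (PBKDF2 here), which means the same word list has to be re-run for every account and every guess costs far more.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the dictionary used in a cracking run.
WORDLIST = ["password", "123456", "qwerty", "letmein", "happy2010", "sydney", "abc123"]


def md5_hex(pw: str) -> str:
    """Unsalted fast hash: assumed here for illustration, not confirmed by the article."""
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed "leaked" table: username -> unsalted hash. user1 and user5 share a
# password, so their hashes are identical, which the dump itself gives away.
LEAKED_UNSALTED = {
    "user1": md5_hex("password"),
    "user2": md5_hex("happy2010"),
    "user3": md5_hex("Tr0ub4dor&3"),  # not in the word list: survives this attack
    "user4": md5_hex("qwerty"),
    "user5": md5_hex("password"),
}


def crack_unsalted(dump: dict, wordlist) -> tuple:
    """Dictionary attack on unsalted hashes. The word list is hashed exactly once;
    the resulting table is then reused against every account in the dump, so the
    cost is len(wordlist) hash operations regardless of how many users leaked.
    Returns (cracked users, number of hash computations)."""
    table = {md5_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def hash_password(pw: str, salt: bytes = None, iterations: int = 20_000) -> str:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256). The iteration count is kept
    low so the demo runs quickly; production deployments use far higher counts."""
    if salt is None:
        salt = os.urandom(16)  # random per-user salt: no shared lookup table
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# The same constructed accounts stored the "done right" way.
LEAKED_SALTED = {
    "user1": hash_password("password"),
    "user2": hash_password("happy2010"),
    "user3": hash_password("Tr0ub4dor&3"),
    "user4": hash_password("qwerty"),
    "user5": hash_password("password"),
}


def crack_salted(dump: dict, wordlist) -> tuple:
    """Same dictionary against salted hashes. Each account has its own salt, so
    no table can be shared: the attacker pays up to len(dump) * len(wordlist)
    slow hash computations. Returns (cracked users, number of hash computations)."""
    cracked, work = {}, 0
    for user, stored in dump.items():
        for w in wordlist:
            work += 1
            if verify_password(w, stored):
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    for name, fn, dump in (("unsalted", crack_unsalted, LEAKED_UNSALTED),
                           ("salted", crack_salted, LEAKED_SALTED)):
        cracked, work = fn(dump, WORDLIST)
        print(f"{name}: cracked {len(cracked)}/{len(dump)} with {work} hash computations")
```

Both attacks recover the same weak passwords in the end; the difference is the cost. Against the unsalted dump the whole word list is hashed once, and every account sharing a guessed password is exposed at the same moment. Against the salted dump the attacker restarts for each account, and each attempt costs thousands of hash iterations rather than one, which is what turns "45 seconds for half the database" into an attack that only pays off against individually targeted accounts.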

The federal privacy commissioner, Timothy Pilgrim, told The Australian he would not be investigating the incident. He said he was pleased with the ABC's handling of it and that consumers could lodge a complaint with his office if they were not satisfied.

A Twitter user who first linked to the hacked database called Phr0zenMyst said: "ABC hacked for giving a platform to Geert Wilders to spread hatred #OpWilders - database leaked!"

Late on Wednesday afternoon the ABC began emailing affected users. The email included a link to a question and answer page about the breach on its site, which recommended that people change the password they used on other online services if it was the same one used to join the ABC site.

In a statement, the ABC on Thursday said that it had been in touch with external security agencies, such as the Australian Federal Police and AusCERT, to ensure it was "doing everything possible to prevent further breaches".

"The ABC is taking immediate steps to check all of our external websites that are developed and hosted outside of the ABC to assess security," it said. "This will include confirming with external partners their security practices and technologies."